Re: Multiple signatures 024

[Matthew Mickel <mmickel () sourcefire com>]

Hi, Yaser-

Thanks for your submissions.  We will test these and get back to you when we have finished.  We would appreciate any 
relevant PCAPs that you have.  Best,

Matt Mickel

> On Mar 6, 2019, at 12:21 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:
>
> Hi,
>
> On the previous post, I may have misidentified AveMaria as PlugX. Not sure how I came up with that. I apologize for 
> any inconvenience this may have caused. Anyway, here is a new set of signatures, most of which have accompanying Yara 
> and ClamAV signatures.
>
> Thank you.
> YM
>
> # --------------------
> # Title: Win.Trojan.TheRat
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Win_Trojan_TheRat_Variant_1
> #   - MALWARE_Win_Trojan_TheRat_Variant_2
> #   - INDICATOR_Image_Embedding_Archive
> # ClamAV:
> #   - MALWARE_Win.Trojan.TheRat-Variant-1
> #   - MALWARE_Win.Trojan.TheRat-Variant-2
> #   - INDICATOR_Image_Embedding_Archive
> # Hashes:
> #   - 46cc296583d7ae1f6bdbe7a3f8d1c66f04a10a8fbc502b42e0b7eb15c3c0cad1
> #   - 484fb2977715262b2b6ded712c5846f10f6fb9594d9a61fb4488db88c102657c
> #   - 5ffcfe54e04748367dfc2bdaeab33fe80070d9b62b7032cac6e1def28cf67210
> #   - 90426ca0a5d0fad4bfbfef999b80577c3f592a247e29eb170490e20510076156
> #   - a21b719d48905fd06b2281a4a47bfa8605e895e1ad7812963d249f87368c42de
> #   - c301e722f409f0d5dd1c252c346f29a7f12a875e633c41216c1f88841854f68a
> #   - d85029c633e6705608b24bcd31c6c4ef23ce41a72238b7e19c190fed9d77b8b3
> #   - e0d0c5522eb9ff996ae422573e95ba43a29ff9dc70adc616440fc720146bf878
> # Note:
> #   - NullSoft and Inno packed binaries.
> #   - Images embedding archives extracted.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TheRat variant outbound connection 
> attempt"; flow:to_server,established; content:"/update.php?id="; fast_pattern:only; http_uri; content:"&stat="; 
> http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 5.1)|0D 0A|"; http_header; content:!"Accept"; http_header; 
> content:!"Content"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000544; 
> rev:1;)
>
> # --------------------
> # Title: PlugX DNS Tunneling
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Win_Trojan_PlugX_DLL
> # ClamAV:
> #   - MALWARE_Win.Trojan.PlugX_DLL
> # Hashes:
> #   - Initial Sample:
> #     - a3c66c8e929f582368e105c0ecedb0ead346494e9a14cf7e7d88f163049ce7f9 (RAR Archive)
> #     - bd8e56950c0c5878b298f97de2051c12d3c5714b6d01eb75b86797dc82732bbd (DLL)
> #   - Triage:
> #     - 9032a1644f525baaafa5199edf29fb18c71a8c221264c2890e1ec475138fc317 (RAR Archive)
> #     - 76b5bf13ba685211cf28f339dc18d691830f7006dd6630c2c6e80f18006cdb9e (DLL)
> #     - ece271ee20d3113b08862a1424f9d359a42270fbb3b2cdb9ccba6601248b0a7d (DLL)
> #     - e39e021c1867acf6e4af9f55756c30b5f2bf5e914c0960f4a2035d758966fb55 (RAR Archive)
> #     - 3fd178fbdf6b07a1f18c1b5749937db2cdf39b6e630fd1511409fb2c4d52e6ef (DLL)
> #     - bf423809330c5bf93bdf184075c2a0babcfa6fcda4f14a101e094c7b17677300 (RAR Archive)
> #     - a555193380d8c3c25a649e2393fb1366e9a5ac94a86a409eddc6f452474f986e (DLL)
> #     - 39c4b2371192a4365b8366e047355ba75fff6f78140dcac5f16306f6f50830cb (RAR Archive)
> #     - 507beb609fd324130d378b09f1c2bba147830a11e0e2d2447e8272cefe76e482 (DLL)
> # Note:
> #   - Signature 3:30881 is sufficient for detection but not
> #     enabled by default, and maybe bound to FPs.
> #   - Initial Sample was first observed 2017, but was not publicly available
> #     until recently.
>
> alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.PlugX dns tunneling outbound connection attempt"; 
> flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 3F|"; offset:2; depth:11; fast_pattern; content:"|3F|"; 
> distance:63; byte_jump:0, 0, from_end, post_offset -5; content:"|00 10 00 01|"; distance:0; within:5; 
> metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000545; rev:1;)
>
> # --------------------
> # Title: Suspected Molerats New Attack in the Middle East
> # Reference: https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/ 
> <https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/>
> # Tests: pcaps
> # Yara:
> #   - INDICATOR_Suspicous_Binary_Packed
> #   - INDICATOR_Base64_Binary__Packed
> # ClamAV:
> #   - INDICATOR_Suspicous_Binary_Packed
> #   - INDICATOR_Base64_Binary_Packed
> # Hashes:
> # Note:
> #   - Instead of a PCRE to match client body character set
> #     we look for the absense of a typical '=' in HTTP form.
> #   - Updated exisitng singature: INDICATOR_Win_Binary_Many_Builtin_Executables
> #     for ClamAV and Yara.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Molerats variant outbound 
> connection"; flow:to_server,established; urilen:1; content:"from: user"; http_header; content:"connection: close"; 
> http_header; content:"user-agent"; http_header; content:!"="; depth:30; metadata:ruleset community, service http; 
> classtype:trojan-activity; sid:8000546; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Enigma packer executable file 
> download detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; 
> flowbits:isset,file.exe; file_data; content:".enigma1"; content:".enigma2"; distance:32; metadata:ruleset 
> communication, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:8000547; 
> rev:1;)
>
> # --------------------
> # Title: CVE-2018-20377
> # Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20377 <https://nvd.nist.gov/vuln/detail/CVE-2018-20377>
> # Tests: 
> # Yara: NA
> # ClamAV: NA
> # Hashes: NA
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Orange LiveBox privilage escalation attemp"; 
> flow:to_server,established; urilen:23; content:"/get_getnetworkconf.cgi"; fast_pattern:only; http_uri; 
> metadata:ruleset community, service http; classtype:attempted-admin; sid:8000548; rev:1;)
>
> # --------------------
> # Title: GreyEnergy’s overlap with Zebrocy
> # Reference: https://securelist.com/greyenergys-overlap-with-zebrocy/89506/ 
> <https://securelist.com/greyenergys-overlap-with-zebrocy/89506/>
> # Tests: 
> # Yara: NA
> # ClamAV: NA
> # Hashes: NA
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound connection 
> attempt"; flow:to_server,established; content:"/help-desk/remote-assistant-service/PostId"; fast_pattern:only; 
> http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000549; rev:1;)
>
> # --------------------
> # Title: Zipped JS > PowerShell > GandCrab v5.2
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Win_JS_Downloader_Variant_1
> #   - MALWARE_Win_JS_Downloader_Variant_2
> #   - INDICATOR_JS_Obfuscation_Patterns
> # ClamAV:
> #   - Email.Trojan.ScriptDownloader (.cdb)
> #   - MALWARE_Win_JS_Downloader_Variant_1
> #   - MALWARE_Win_JS_Downloader_Variant_2
> # Hashes: List is too long to be shared here.
> # Notes:
> #   - HTTPS connections go to: hxxps://www[.]kakaocorp[.]link/includes/imgs/kaimhe.bmp 
> <hxxps://www[.]kakaocorp[.]link/includes/imgs/kaimhe.bmp>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.JS downloader outbound connection 
> attempt"; flow:to_server,established; urilen:<20; content:"User-Agent: Windows|0D 0A|"; fast_pattern:only; 
> http_header; content:!"Accept"; http_header; content:!"Content"; http_header; metadata:ruleset community, service 
> http; classtype:trojan-activity; sid:8000550; rev:1;)
>
> alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC DNS request to known malicious domain - GandCrab Ransomware"; 
> flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|kakaocorp|04|link"; fast_pattern:only; metadata:ruleset 
> community, service dns; classtype:trojan-activity; sid:8000551; rev:1;)
>
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware GandCrab variant certificate exchange"; 
> flow:to_client,established; ssl_state:server_hello; content:"|55 04 03 13 0E|kakaocorp.link 
> <http://kakaocorp.link/>"; fast_pattern:only; metadata:ruleset community, service ssl; classtype:trojan-activity; 
> sid:8000552; rev:2;)
>
> # --------------------
> # Title: EdgeSpot detects PDF samples tracking users who use Google Chrome as local PDF viewer
> # Reference: https://blog.edgespot.io/2019/02/edgespot-detects-pdf-zero-day-samples.html 
> <https://blog.edgespot.io/2019/02/edgespot-detects-pdf-zero-day-samples.html>
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Pdf_Trojan_Ticanoti_Variant_1
> #   - MALWARE_Pdf_Trojan_Ticanoti_Variant_2
> #   - MALWARE_Pdf_Trojan_Ticanoti_Variant_3
> # ClamAV:
> #   - Pdf.Trojan.Ticanoti-Variant-1
> #   - Pdf.Trojan.Ticanoti-Variant-2
> #   - Pdf.Trojan.Ticanoti-Variant-3
> # Hashes:
> #   - 0cc1234c981806dd22e0e98e4be002e8df8d285b055e7f891ff8e91af59aee1e
> #   - 2dd6ade4d0d4dc8224b28f8819b1c49bb7ae4025933e737ac8069c496d88bb43
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Pdf.Trojan.Ticanoti outbound information 
> leak detected"; flow:to_server,established; content:"/nocache/"; http_uri; content:"?page="; http_uri; 
> fast_pattern:only; content:"//mhjfbmdgcfjbbpaeojofohoefgiehjai|0D 0A|"; http_header; metadata:ruleset community, 
> service http; classtype:trojan-activity; sid:8000553; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Pdf.Trojan.Ticanoti outbound information 
> leak detected"; flow:to_server,established; content:"//mhjfbmdgcfjbbpaeojofohoefgiehjai|0D 0A|"; fast_pattern:only; 
> http_header; http_header; content:"<</F<</F(file////"; http_client_body; metadata:ruleset community, service http; 
> classtype:trojan-activity; sid:8000554; rev:1;)
>
> # --------------------
> # Title: HawkEye / iSpy
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - INDICATOR_Win_DotNet_Packed
> # ClamAV:
> #   - INDICATOR_Win_DotNet_Packed
> # Hashes:
> #   - 039aa11d64377ad3719a3d637a8930b58140f60fa3c3025bf362d5f1186dc388
> #   - 0432d8f8f5493463e21e63bec2775b0768883427a3c304ed5c654295fe194f54
> #   - 059caf37845d86effe76c9884cc1ac328fb3e9e173ea7a591e39471643e46cfc
> #   - 3124000b9f0e4422ad5c153ea6c0b12e6740bb0672de53807b47b3fb1d96b9d1
> #   - 70030f1def1ff72fdcd64e31df5bb2f9edc53aa29552b7fe252aee6d8fb471f1
> #   - 79849bd2c0f7983623ed2da2a94a9cc57de192f823899d542887b7e87710ae1b
> #   - 9f7dca729655b97e79eff175797424b135790cf6e550b193285d04cb793e397a
> #   - b28f51704e94543040344a257555e8c0c3f175dcaff6a09bdd581503dfefd84e
> #   - b94eba88f222d0114ea940613ef7459a7d7f2ab9410abb9c1bfb2b59e063b92d
> #   - ba147bb736208f03e1272cd956078cc8d799dc5e0a087f1ead61c8ef20f8a1c4
> #   - bac7beac51934f584804cc38ab154d68e6085716704714051e5b1c433e1a87f6
> #   - d716c64eba90657a20742dd63adbef2ce23ba76ef743aec038665266f62072f0
> #   - e98f4dbfc2c5bfe7d4f8f4a21bcab3a4f8b0a577c1f25b417371b9047eba6e66
> #   - f0170c0df25cbcb224d2237836d94d5dcc23a628fdd13300fdf085dd0a1bcbeb
> # Notes:
> #   - SID 8000512 from a previous sigs post is valid in this context.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection 
> attempt"; flow:to_server,established; content:"Subject: HawkEye Keylogger "; fast_pattern:only; metadata:ruleset 
> community, service smtp; classtype:trojan-activity; sid:8000555; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection 
> attempt"; flow:to_server,established; content:"- Passwords Logs -"; fast_pattern:only; metadata:ruleset community, 
> service smtp; classtype:trojan-activity; sid:8000556; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection 
> attempt"; flow:to_server,established; content:"- Keyboard Logs -"; fast_pattern:only; metadata:ruleset community, 
> service smtp; classtype:trojan-activity; sid:8000557; rev:1;)
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
> <https://snort.org/faq/what-is-the-mailing-list-etiquette>
>
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
> catch the most <a href=" https://snort.org/downloads/#rule-downloads 
> <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!